
SSH tunneling in an airport


Being at home, I know how to establish SSH tunnels with the work gateway. The main thing is for the gateway to be able to establish an SSH connection with my machine at home. I do this by setting the NAT options of the Wi-Fi router.

Asked by: Guest | Views: 206
Total answers/comments: 2
Guest [Entry]

I recommend the 'soht' project to create tunnels over HTTP.
You have to know the proxy hostname and port.
At home you need a running Tomcat server with 'soht' deployed, maybe in conjunction with an Apache reverse proxy.
Guest [Entry]

Are you trying to create an outbound tunnel from your PC to work, or an inbound tunnel from work to your PC?

If the former, then you're probably running into a situation where the provider's firewall is blocking everything other than HTTP/HTTPS over specific ports. This is unusual: I can't remember the last time that I've had arbitrary outbound traffic blocked, and usually have no problem using SSH to get to my home machine. If you are getting blocked, then some sort of HTTP tunneling (as suggested by other posters) would be the only option -- although I can't begin to imagine the overhead this must imply.

If the issue is that you can't open a connection from work to your airport-situated laptop (and I'm assuming this is what you want since you talked about NAT settings), well, you're going to be out of luck for a direct connection. You almost certainly have a private IP behind the airport's firewall, so there would be no way to route packets to you.

The alternative is to establish two tunnels, with a trusted host (your home machine) in the middle. You'll need to open two ports in your firewall: your normal SSH port (22, but see below), and another port -- say, 2201. From work, open a reverse tunnel to your home machine, using an argument such as 2201:localhost:22 -- all connections to port 2201 on your home machine will be tunneled to port 22 on your work machine. Then open a forward tunnel from your laptop to your home machine, using an argument such as 22:localhost:2201 -- all connections to port 22 on your laptop will be forwarded to 2201 on the home machine.

This is, of course, not an optimal setup. Not only do you have a handoff in the middle, but if you have ADSL (like I do) you'll be hit by the slow upload speeds. All in all, a traditional VPN is probably a better choice (again an assumption: you're using SSH because your traditional VPN is too slow).

On a side note: opening port 22 on your home firewall is not a good idea: sooner or later you will be attacked. Even if it doesn't lead to getting hacked, the attackers will chew up bandwidth and disk space (the first and only time it happened to me, the auth log grew to many megabytes within the space of an hour -- then I slapped myself for being stupid and closed the port -- it doesn't matter that my passwords aren't subject to dictionary attack, it's still a bad idea to leave doors unlocked).

Edit: to get sshd to listen on additional ports, edit the file /etc/ssh/sshd_config (Windows users, you're on your own), and add additional Port directives (look for the existing "Port 22" entry):

    # What ports, IPs and protocols we listen for
    Port 22
    Port 2201
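The two-tunnel setup described in this answer, written out as an added example (not code from the original answers): it builds the reverse and forward ssh invocations with the options that make a broken tunnel fail loudly, and it refuses a privileged local port on the laptop. The host name home.example.org, the user name, and the laptop port 2222 are assumptions.

```shell
#!/bin/sh
# Added example: assumed values, replace with your own.
HOME_HOST="home.example.org"   # home machine, reachable from the Internet on its ssh port
HOME_USER="me"                 # account on the home machine
RELAY_PORT=2201                # port on the home machine that relays to the work sshd
LAPTOP_PORT=2222               # local port on the laptop; 22 would need root and is
                               # usually taken by the laptop's own sshd

# Accept only an unprivileged, valid TCP port for the laptop side.
check_local_port() {
    case "$1" in
        '' | *[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 1023 ] && [ "$1" -le 65535 ]
}

# Run on the WORK machine. -R makes the home machine listen on RELAY_PORT and
# send each connection back through this session to port 22 at work.
# -N: no remote command; ExitOnForwardFailure: die if the listener cannot be
# bound instead of running without it; ServerAliveInterval: notice a dead link.
# With the default GatewayPorts=no the listener is on the home machine's
# loopback, so it is reachable only from the home machine itself.
reverse_tunnel_cmd() {
    printf '%s' "ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -R ${RELAY_PORT}:localhost:22 ${HOME_USER}@${HOME_HOST}"
}

# Run on the LAPTOP. -L makes the laptop listen on LAPTOP_PORT and hand each
# connection to the home machine, which connects to its own RELAY_PORT, i.e.
# to the work sshd through the reverse tunnel.
forward_tunnel_cmd() {
    printf '%s' "ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -L ${LAPTOP_PORT}:localhost:${RELAY_PORT} ${HOME_USER}@${HOME_HOST}"
}

check_local_port "$LAPTOP_PORT" || { echo "LAPTOP_PORT must be 1024-65535" >&2; exit 1; }
echo "On the work machine run:  $(reverse_tunnel_cmd)"
echo "On the laptop run:        $(forward_tunnel_cmd)"
echo "Then, from the laptop:    ssh -p ${LAPTOP_PORT} workuser@localhost"
```

Both ssh sessions must stay up for the chain to work; the work-side one is the first to check when a connection from the laptop hangs.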